CVE-2024-25145

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.4.3.11 Liferay DXP 7.4 before update 8 Liferay DXP 7.3 before update 4 Liferay DXP 7.2 before fix pack 17 Liferay Portal older unsupported versions Liferay DXP older unsupported versions

Description A stored cross-site scripting (XSS) issue in the Portal Search module's Search Result app allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content to the application.

Recommendations For Liferay Portal versions 7.2.0 through 7.4.3.11, update to a version that includes the fix for this issue. For Liferay DXP 7.4 before update 8, apply update 8 to resolve the issue. For Liferay DXP 7.3 before update 4, apply update 4 to resolve the issue. For Liferay DXP 7.2 before fix pack 17, apply fix pack 17 to resolve the issue. For Liferay Portal and Liferay DXP older unsupported versions, there is no information about a newer version that contains a fix for this vulnerability.